Jamf Protect - Alerts
| Id | 6098daa0-f05e-44d5-b5a0-913e63ba3179 |
| Rulename | Jamf Protect - Alerts |
| Description | Creates an incident based on Jamf Protect Alert data in Microsoft Sentinel |
| Severity | High |
| Required data connectors | JamfProtect |
| Kind | NRT |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Jamf Protect/Analytic Rules/JamfProtectAlerts.yaml |
| Version | 1.0.6 |
| Arm template | 6098daa0-f05e-44d5-b5a0-913e63ba3179.json |
jamfprotectalerts_CL
| extend
algorithm = "SHA256",
Host_IPs = tostring(parse_json(DvcIpAddr)[0]),
Tags = parse_json(tostring(parse_json(tostring(input.match)).tags)),
Tactics = case(input.match.tags has "Execution", "Execution", input.match.tags has "Visibility", "Visibility", input.match.tags has "Persistence", "Persistence", input.match.tags has "LateralMovement", "LateralMovement", input.match.tags has "CredentialAccess", "CredentialAcccess", input.match.tags has "DefenseEvasion", "DefenseEvasion", input.match.tags has "PrivilegeEscalation", "PrivilegeEscalation", input.match.tags has "Impact", "Impact", input.match.tags has "CommandAndControl", "CommandandControl", input.match.tags has "Discovery", "Discovery", input.match.tags has "InitialAccess", "InitialAccess", ""),
Techniques = pack_array(extract(@"[A-Za-z]\d{4}", 0, tostring(input.match.tags))),
JamfPro = case(input.match.actions has "SmartGroup", "Workflow with Jamf Pro", input.match.actions has "Prevented", "No workflow, Prevented by Protect", "No workflow")
severity: High
relevantTechniques:
requiredDataConnectors:
- dataTypes:
- jamfprotectalerts_CL
connectorId: JamfProtect
status: Available
description: |
'Creates an incident based on Jamf Protect Alert data in Microsoft Sentinel'
alertDetailsOverride:
alertDescriptionFormat: '{{EventResultMessage}} - Please investigate'
alertTacticsColumnName: Tactics
alertDynamicProperties:
- alertProperty: ProviderName
value: EventVendor
- alertProperty: ProductName
value: EventProduct
- alertProperty: Techniques
value: Techniques
alertSeverityColumnName: EventSeverity
alertDisplayNameFormat: '{{EventMessage}} detected on {{DvcHostname}}'
name: Jamf Protect - Alerts
customDetails:
TargetBinarySignMsg: TargetBinarySigningInfoMessage
JamfPro_Status: JamfPro
Protect_Tags: Tags
Related_Binaries: TargetBinaryFilePath
TargetBinarySigner: TargetBinarySigningTeamID
Protect_Analytic: EventMessage
Protect_Event_Type: EventType
Related_File_hash: TargetBinarySHA256
TargetbinarySign: TargetbinarySignerType
entityMappings:
- entityType: Host
fieldMappings:
- columnName: DvcHostname
identifier: HostName
- columnName: DvcOs
identifier: OSFamily
- columnName: DvcOsVersion
identifier: OSVersion
- entityType: IP
fieldMappings:
- columnName: Host_IPs
identifier: Address
- entityType: Process
fieldMappings:
- columnName: TargetProcessCurrentDirectory
identifier: CommandLine
- columnName: TargetProcessId
identifier: ProcessId
- entityType: FileHash
fieldMappings:
- columnName: algorithm
identifier: Algorithm
- columnName: TargetBinarySHA256
identifier: Value
version: 1.0.6
kind: NRT
query: |
jamfprotectalerts_CL
| extend
algorithm = "SHA256",
Host_IPs = tostring(parse_json(DvcIpAddr)[0]),
Tags = parse_json(tostring(parse_json(tostring(input.match)).tags)),
Tactics = case(input.match.tags has "Execution", "Execution", input.match.tags has "Visibility", "Visibility", input.match.tags has "Persistence", "Persistence", input.match.tags has "LateralMovement", "LateralMovement", input.match.tags has "CredentialAccess", "CredentialAcccess", input.match.tags has "DefenseEvasion", "DefenseEvasion", input.match.tags has "PrivilegeEscalation", "PrivilegeEscalation", input.match.tags has "Impact", "Impact", input.match.tags has "CommandAndControl", "CommandandControl", input.match.tags has "Discovery", "Discovery", input.match.tags has "InitialAccess", "InitialAccess", ""),
Techniques = pack_array(extract(@"[A-Za-z]\d{4}", 0, tostring(input.match.tags))),
JamfPro = case(input.match.actions has "SmartGroup", "Workflow with Jamf Pro", input.match.actions has "Prevented", "No workflow, Prevented by Protect", "No workflow")
suppressionDuration: PT5H
tactics:
incidentConfiguration:
groupingConfiguration:
matchingMethod: AllEntities
enabled: false
lookbackDuration: PT5H
reopenClosedIncident: false
createIncident: true
suppressionEnabled: false
eventGroupingSettings:
aggregationKind: AlertPerResult
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Jamf Protect/Analytic Rules/JamfProtectAlerts.yaml
id: 6098daa0-f05e-44d5-b5a0-913e63ba3179
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6098daa0-f05e-44d5-b5a0-913e63ba3179')]",
"kind": "NRT",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6098daa0-f05e-44d5-b5a0-913e63ba3179')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "{{EventResultMessage}} - Please investigate",
"alertDisplayNameFormat": "{{EventMessage}} detected on {{DvcHostname}}",
"alertDynamicProperties": [
{
"alertProperty": "ProviderName",
"value": "EventVendor"
},
{
"alertProperty": "ProductName",
"value": "EventProduct"
},
{
"alertProperty": "Techniques",
"value": "Techniques"
}
],
"alertSeverityColumnName": "EventSeverity",
"alertTacticsColumnName": "Tactics"
},
"alertRuleTemplateName": "6098daa0-f05e-44d5-b5a0-913e63ba3179",
"customDetails": {
"JamfPro_Status": "JamfPro",
"Protect_Analytic": "EventMessage",
"Protect_Event_Type": "EventType",
"Protect_Tags": "Tags",
"Related_Binaries": "TargetBinaryFilePath",
"Related_File_hash": "TargetBinarySHA256",
"TargetbinarySign": "TargetbinarySignerType",
"TargetBinarySigner": "TargetBinarySigningTeamID",
"TargetBinarySignMsg": "TargetBinarySigningInfoMessage"
},
"description": "'Creates an incident based on Jamf Protect Alert data in Microsoft Sentinel'\n",
"displayName": "Jamf Protect - Alerts",
"enabled": true,
"entityMappings": [
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "DvcHostname",
"identifier": "HostName"
},
{
"columnName": "DvcOs",
"identifier": "OSFamily"
},
{
"columnName": "DvcOsVersion",
"identifier": "OSVersion"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "Host_IPs",
"identifier": "Address"
}
]
},
{
"entityType": "Process",
"fieldMappings": [
{
"columnName": "TargetProcessCurrentDirectory",
"identifier": "CommandLine"
},
{
"columnName": "TargetProcessId",
"identifier": "ProcessId"
}
]
},
{
"entityType": "FileHash",
"fieldMappings": [
{
"columnName": "algorithm",
"identifier": "Algorithm"
},
{
"columnName": "TargetBinarySHA256",
"identifier": "Value"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": false,
"lookbackDuration": "PT5H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Jamf Protect/Analytic Rules/JamfProtectAlerts.yaml",
"query": "jamfprotectalerts_CL\n| extend\n algorithm = \"SHA256\",\n Host_IPs = tostring(parse_json(DvcIpAddr)[0]),\n Tags = parse_json(tostring(parse_json(tostring(input.match)).tags)),\n Tactics = case(input.match.tags has \"Execution\", \"Execution\", input.match.tags has \"Visibility\", \"Visibility\", input.match.tags has \"Persistence\", \"Persistence\", input.match.tags has \"LateralMovement\", \"LateralMovement\", input.match.tags has \"CredentialAccess\", \"CredentialAcccess\", input.match.tags has \"DefenseEvasion\", \"DefenseEvasion\", input.match.tags has \"PrivilegeEscalation\", \"PrivilegeEscalation\", input.match.tags has \"Impact\", \"Impact\", input.match.tags has \"CommandAndControl\", \"CommandandControl\", input.match.tags has \"Discovery\", \"Discovery\", input.match.tags has \"InitialAccess\", \"InitialAccess\", \"\"),\n Techniques = pack_array(extract(@\"[A-Za-z]\\d{4}\", 0, tostring(input.match.tags))),\n JamfPro = case(input.match.actions has \"SmartGroup\", \"Workflow with Jamf Pro\", input.match.actions has \"Prevented\", \"No workflow, Prevented by Protect\", \"No workflow\")\n",
"severity": "High",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT5H",
"suppressionEnabled": false,
"tactics": null,
"techniques": null,
"templateVersion": "1.0.6"
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}